Services like OVH, Cloudflare and Gandi assisted LE in taking down the Encrochat network that was used by criminals.
Source: Piped
In January 2019, French LE took copies of OVH's VMs from a server at Roubaix. Then, on 31 March 2020, OVH redirected traffic from Encrochat's update servers to LE.
On 29 March 2022, new certificates were issued for encrochat.network via Cloudflare, with the domain pointing at Cloudflare's IP.
This reminds me of the xmpp.ru / jabber.ru case, where Hetzner and Linode issued a compromised certificate so that messages of this XMPP server's users could be intercepted. Source: Encrypted traffic interception on Hetzner and Linode targeting the largest Russian XMPP (Jabber) messaging service, where some mitigations were proposed.
Another case: the DNS servers of RaidForums (the BreachForums predecessor) were changed to Cloudflare's nameservers when the website was secretly seized by LE, and users were then presented with a fake login page in a phishing attempt to gather threat actors' credentials.
On February 27th, 2022, the DNS servers for raidforums.com were suddenly changed to the following servers:
jocelyn.ns.cloudflare.com
plato.ns.cloudflare.com
As these DNS servers were previously used with other sites seized by law enforcement, including weleakinfo.com and doublevpn.com, researchers believed that this added further support that the domain was seized.
Source: RaidForums hacking forum seized by police, owner arrested
On 20 March 2020, Encrochat's DNS provider Gandi "redirect directly" all Encrochat traffic to LE. For some reason, on 1 April 2020, one of Encrochat's DNS records changed back and forth between dnsmadeeasy and Gandi, but in the middle of that day LE injected malware into Encrochat's update servers, collecting the following data:
They made sure Encrochat could never recover by controlling the servers, DNS and certificates, making the malware persistent even after Encrochat "pushing updates to fix the issues", forcing Encrochat to shut down.
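The three indicators above (RaidForums' nameservers moving to a Cloudflare pair already seen on seized domains, encrochat.network getting fresh certificates from a new issuer, and Encrochat's DNS flapping between dnsmadeeasy and Gandi) can be watched for mechanically. The script below is an added example, not code from the post or from any of the sources it cites: it runs two small detectors over nameserver snapshots and certificate issuance events. The two Cloudflare nameserver names are the ones the post quotes; the domain names, DNS snapshots and certificate records are constructed sample data, not real observations, and the 7-day correlation window is an arbitrary choice.

```python
"""Seizure indicators from nameserver history and certificate issuance.

Added example, not code from the original post or its sources. The two
Cloudflare nameserver names are the ones the post quotes; the domains,
DNS snapshots and certificate records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date

# Nameservers the post says were seen on domains previously seized by LE
# (weleakinfo.com, doublevpn.com, then raidforums.com).
SEIZURE_ASSOCIATED_NS = frozenset({
    "jocelyn.ns.cloudflare.com",
    "plato.ns.cloudflare.com",
})


@dataclass(frozen=True)
class NsSnapshot:
    day: date
    nameservers: frozenset  # NS hostnames observed for the domain that day


@dataclass(frozen=True)
class CertEvent:
    day: date
    issuer: str  # issuing CA as it would appear in a CT log entry


def ns_alerts(domain, history):
    """Return (day, message) alerts from NS snapshots, oldest first.

    Signals taken from the post: a move onto nameservers previously used
    for seized domains, and a domain flapping back to a set it already used
    (the Encrochat dnsmadeeasy/Gandi back-and-forth).
    """
    ordered = sorted(history, key=lambda s: s.day)
    alerts = []
    if not ordered:
        return alerts
    seen_sets = {ordered[0].nameservers}
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.nameservers == prev.nameservers:
            continue
        hit = cur.nameservers & SEIZURE_ASSOCIATED_NS
        if hit and not (prev.nameservers & SEIZURE_ASSOCIATED_NS):
            alerts.append((cur.day, f"{domain}: NS moved to seizure-associated {sorted(hit)}"))
        if cur.nameservers in seen_sets:
            alerts.append((cur.day, f"{domain}: NS flapped back to {sorted(cur.nameservers)}"))
        seen_sets.add(cur.nameservers)
    return alerts


def ns_change_days(history):
    """Days on which the observed NS set differed from the previous snapshot."""
    ordered = sorted(history, key=lambda s: s.day)
    return [cur.day for prev, cur in zip(ordered, ordered[1:])
            if cur.nameservers != prev.nameservers]


def cert_alerts(domain, certs, change_days, window_days=7):
    """Flag a certificate from a new issuer close to a nameserver change.

    The oldest certificate's issuer is the baseline; a cert from a different
    CA within window_days of an NS change is the encrochat.network pattern.
    """
    ordered = sorted(certs, key=lambda c: c.day)
    alerts = []
    if not ordered:
        return alerts
    baseline = ordered[0].issuer
    for c in ordered[1:]:
        if c.issuer == baseline:
            continue
        near = [d for d in change_days if abs((c.day - d).days) <= window_days]
        if near:
            alerts.append((c.day, f"{domain}: cert from new issuer {c.issuer!r} "
                                  f"within {window_days}d of NS change on {near[0]}"))
    return alerts


def assess(domain, history, certs):
    """Run both detectors and return alerts sorted by day."""
    alerts = ns_alerts(domain, history) + cert_alerts(domain, certs, ns_change_days(history))
    return sorted(alerts, key=lambda a: a[0])


# Constructed sample: a forum domain that moves to the quoted Cloudflare pair
# and gets a certificate from a different CA the next day.
FORUM_HISTORY = [
    NsSnapshot(date(2022, 2, 1), frozenset({"ns1.host-a.example", "ns2.host-a.example"})),
    NsSnapshot(date(2022, 2, 20), frozenset({"ns1.host-a.example", "ns2.host-a.example"})),
    NsSnapshot(date(2022, 2, 27), SEIZURE_ASSOCIATED_NS),
]
FORUM_CERTS = [
    CertEvent(date(2022, 1, 10), "Let's Encrypt"),
    CertEvent(date(2022, 2, 28), "Cloudflare, Inc."),
]

# Constructed sample: an update-server domain flapping between two providers.
UPDATES_HISTORY = [
    NsSnapshot(date(2020, 3, 30), frozenset({"ns1.provider-a.example"})),
    NsSnapshot(date(2020, 4, 1), frozenset({"ns1.provider-b.example"})),
    NsSnapshot(date(2020, 4, 2), frozenset({"ns1.provider-a.example"})),
]

if __name__ == "__main__":
    for domain, hist, certs in (("forum.example", FORUM_HISTORY, FORUM_CERTS),
                                ("updates.example", UPDATES_HISTORY, [])):
        for day, msg in assess(domain, hist, certs):
            print(day, msg)
```

Feeding it real data means snapshotting NS records daily (or pulling passive-DNS history) and tailing a Certificate Transparency log for the domain; the detectors only need the day, the NS set and the issuer, so the input format is deliberately minimal. A move onto a provider like Cloudflare is of course also what a legitimate migration looks like, which is why the RaidForums researchers relied on the specific nameserver pair being the same one seen on earlier seizures, not on the provider change alone.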